Wednesday, January 17, 2007

Securing Java EE 5 Web Applications

In this post I will give a brief overview of securing web applications in Java EE 5 with the help of a simple example. The example application consists of a servlet (securityServlet) and two pages (index.jsp and secure/index.jsp). Two users, newemployee (role employee) and newguest (role guest), will be created with the following permissions:

The "guest" user will have access to index.jsp

The "employee" user will have access to secure/index.jsp.

Both users have access to the servlet.

This example was developed in Eclipse and run on the Glassfish application server. Follow these steps to implement the example.

Create Users in Glassfish

Go to Configuration->Security->Realms->file in the Glassfish admin console.

In the file realm, click on Manage Users.

Add the two users (newemployee and newguest) by clicking on New, giving each a password and, optionally, a group. The same can be done from the command line with asadmin create-file-user. The file realm keeps these credentials in a keyfile on the server, which is fine for a demo but is not where you would keep production users.

The Web Application

The Web Deployment Descriptor: The following listing shows the complete deployment descriptor used for this example, followed by a quick explanation.

In the servlet declaration, the <security-role-ref> element maps the role name used inside the servlet (emp, the argument passed to isUserInRole) to a role declared in the deployment descriptor (employee). It is needed only when the two names differ; if they are the same, the container resolves the name directly against the declared <security-role> elements.

In the login-config, the <realm-name> element declares the realm against which the container authenticates users. The <auth-method> alongside it selects how credentials are collected; this example uses FORM authentication with login.jsp as the login page.
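The deployment descriptor below is an added example written for this page; it is not the listing from the original post, which did not survive on this page. It implements the three permissions stated above and assumes the servlet class is SecurityServlet, mapped at /securityServlet, and that the FORM error page is loginError.jsp (both assumptions). It goes one step beyond the post by adding a transport-guarantee on the employee-only area and by covering every HTTP method in each constraint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example for this page, not the post's own listing. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <servlet>
    <servlet-name>securityServlet</servlet-name>
    <servlet-class>SecurityServlet</servlet-class>
    <!-- The servlet calls isUserInRole("emp"); link that name to the declared
         role "employee". Without this link the container would look for a
         security-role literally named "emp". -->
    <security-role-ref>
      <role-name>emp</role-name>
      <role-link>employee</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>securityServlet</servlet-name>
    <url-pattern>/securityServlet</url-pattern> <!-- assumed mapping -->
  </servlet-mapping>

  <!-- index.jsp: guests. No <http-method> element is given, so every HTTP
       method is covered; listing only GET and POST would leave HEAD, PUT,
       DELETE, etc. unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest area</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- secure/index.jsp and anything else under /secure: employees only.
       The transport-guarantee is an addition to the post's setup; the
       container redirects plain-HTTP requests to its HTTPS listener. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Employee area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The servlet: both roles. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Servlet</web-resource-name>
      <url-pattern>/securityServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest</role-name>
      <role-name>employee</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login against the Glassfish file realm. login.jsp and
       loginError.jsp must not match any constraint above, otherwise the
       container loops redirecting to the login page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>guest</role-name></security-role>
  <security-role><role-name>employee</role-name></security-role>
</web-app>
```

Two checks worth doing after deploying: request /secure/index.jsp as newguest and confirm a 403 rather than the page (authentication succeeding is not the same as authorization succeeding), and request index.jsp with a method other than GET to confirm the constraint still applies. As the post describes it, index.jsp is listed only for guest; add employee to that auth-constraint if employees should reach it too.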

Realms: A realm is a database of users and groups that identifies the valid users of a web application and is controlled by a single authentication policy. Three realms (file, admin-realm, and certificate) come preconfigured in Glassfish Application Server. For this example I use the file realm, where the user credentials are stored locally in a keyfile on the server.

Mapping Roles to Users/Groups in the Security Realm: The roles named in web.xml are application-level names that mean nothing to the realm by themselves. To map them to the users (or groups) defined in the security realm, add the role mappings to WEB-INF/sun-web.xml, the Glassfish-specific descriptor. The file is shown below.
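The sun-web.xml below is an added example for this page, not the post's own listing. It maps the two application roles to the two file-realm users created earlier; the group mapping on the employee role, and the group name staff, are assumptions added to show the alternative the element supports.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
    "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<!-- WEB-INF/sun-web.xml: added example for this page, not the post's own listing. -->
<sun-web-app>
  <!-- Application role -> principal in the file realm. Roles appear here
       under the names declared in web.xml (guest, employee), never under the
       role-ref alias (emp) used inside the servlet. -->
  <security-role-mapping>
    <role-name>guest</role-name>
    <principal-name>newguest</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>employee</role-name>
    <principal-name>newemployee</principal-name>
    <!-- A realm group may be mapped instead of, or as well as, individual
         users; this assumes a group called "staff" exists in the file realm. -->
    <group-name>staff</group-name>
  </security-role-mapping>
</sun-web-app>
```

Mapping groups rather than individual principals is what you want once there is more than a handful of users, since the mapping then stays fixed while membership is managed in the realm. Note the failure mode when a mapping is missing: the user authenticates successfully but never holds the role, so the container answers 403 and isUserInRole returns false, which is easy to misread as a bad password.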

SecurityServlet.java (only the tail of the listing survived; the class header and the start of the method are missing here):

```java
            out.println(request.getUserPrincipal() + " is an Authorized User");
        else
            out.println(request.getUserPrincipal() + " is not authorized to see this page.");
    }
}
```

The @DeclareRoles annotation defines the security roles of the application. It is placed on a class and typically lists the roles that the methods of that class test (for example by calling isUserInRole). Roles declared this way are merged with the <security-role> elements of the deployment descriptor.

The isUserInRole() method is part of the standard Servlet API (HttpServletRequest) and has been available since J2EE; it returns true only for an authenticated user who holds the named role, with any <security-role-ref> link applied first.
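A complete version of the servlet, written as an added example for this page rather than the post's own listing. It assumes the servlet is registered as securityServlet in web.xml with a <security-role-ref> linking emp to employee, and that the declared roles are employee and guest.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example for this page, not the post's own listing.
 *
 * The real roles are declared here. "emp" is not listed because it is only an
 * alias that the <security-role-ref> in web.xml resolves to "employee";
 * declaring it as well would just create an extra, unmapped role.
 */
@DeclareRoles({"employee", "guest"})
public class SecurityServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            Principal user = request.getUserPrincipal();
            if (user == null) {
                // Only reachable if the URL is not covered by a security-constraint;
                // the declarative constraint should have forced a login already.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // "emp" goes through the role-ref and is checked as "employee";
            // "guest" has no role-ref and is checked against the declared role
            // of the same name.
            if (request.isUserInRole("emp")) {
                out.println(user.getName() + " is an authorized employee");
            } else if (request.isUserInRole("guest")) {
                out.println(user.getName() + " is an authorized guest");
            } else {
                out.println(user.getName() + " is not authorized to see this page.");
            }
        } finally {
            out.close();
        }
    }
}
```

The null check on getUserPrincipal() is defensive: if the servlet's URL is later left out of the security constraints, the container invokes it with no authenticated user and every isUserInRole call simply returns false. Failing explicitly is preferable to quietly printing "null is not authorized".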

The login page: The following is the listing for the login.jsp page. There is nothing new here.

In a real application the <url-pattern> in the security constraints would not be a single wildcard such as /secure/*; you would list individual resources (/secure/jsp1.jsp and so on) with different roles attached to each. Once there are many such resources, managing them in the deployment descriptor becomes difficult, and you will be better off using a third-party access manager such as IBM's Tivoli Access Manager or SiteMinder.